back to article What are the security threats?

"Security", as the first article in this series points out, can always be found near the top of the list of concerns of every IT manager and IT director. Unfortunately the same subject can also manage to not quite make it onto the more important list of things to do something about now. Over the years, a diverse array of …

COMMENTS

This topic is closed for new posts.
Silver badge

poor security is not a problem, it's a set of symptoms

Just like you can't pop a pill that'll make you fit and healthy, you can't plop a "security" product into an environment and solve all your woes.

There are, in fact, many parallels between being a healthy person and having a secure computing environment. In fact the process of being secure, like the process of being healthy (or having a good job) are often referred to as having "hygiene factors" as, like personal hygiene, they don't make you healthy/secure, but they stop the opposite from happening.

Like keeping good health, you have to practice good security throughout everything you do. Getting a tan is like installing a firewall - superficially, it makes you look healthy to the outside world but does nothing to prevent internal problems from occurring. In a secure environment, it's not the tools you deploy that make the system secure, it's how you approach the whole issue (though, obviously, the right tools help).

So what we find is that whether a security issue is classed as "malware" (a nice excuse), internal people, accidental or whatever - the underlying cause is that the systems in place and the people behind them allowed a problem to occur. Adding more stuff won't help unless the mindset of a company's employees are changed and the directors of the company are prepared to back them with the policies and money needed to take a professional approach.

Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward sysytem of most companies. Plus of course, there's no objective way to reliably measure how secure a system actually is.

0
0
Anonymous Coward

First sentence fail

> "Security", as the first article in this series points out, can always be found near the top of the list of concerns of every IT manager and IT director

Arse. I've never worked in any company where security was considered near the top of the list *if at all* (usually the latter).

0
0

Invisible elephants in the room.

Maybe I'm being a little bit naive here but it seems to me that there are two startling omissions from that tasty little graphic:

1. Interception of external network traffic by government (UK) agencies.

2. interception of external network traffic by government sanctioned commercial enterprises such as Phorm and Nebuad.

I realise that the general drift of the article is directed at corporate enterprises who will be tunnelling their traffic through VPNs but surely the majority of businesses fall into the Small to Medium sized Enterprises (SMEs) category where such technology is not as widely deployed. But that may turn out to be not such a big problem after all.

Given the UK government's slavish grovelling to the demands of the business community it wouldn't be too surprising if we discovered that a clause had been inserted into some obscure bill, say The Restoration and Maintenance of Ancient Monuments act, which would confer total immunity from network interception on all businesses for all time. Ever.

Now citizen, bend over and assume the position while one of our partners puts it to you in the nicest possible way. No, you can't have a feckin' anaesthetic.

0
0
Silver badge

@Pete

Good commentary. A couple points, though ...

"So what we find is that whether a security issue is classed as "malware" (a nice excuse), internal people, accidental or whatever - the underlying cause is that the systems in place and the people behind them allowed a problem to occur. Adding more stuff won't help unless the mindset of a company's employees are changed and the directors of the company are prepared to back them with the policies and money needed to take a professional approach."

Exactly. Adding more staff won't help, either ... Especially not more middle management.

"Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward sysytem of most companies."

Someone with a clue about security posting on ElReg? How refreshing!

"Plus of course, there's no objective way to reliably measure how secure a system actually is."

Of course not. However, if I go into an organization and observe them for a couple hours (sometimes just a few minutes), I can get a pretty good idea of how secure they are WITHOUT eyeballing any of their so-called "core technology". Security starts with people.

0
0

PEBCAK

Most security problems occur due to the people driving the computers on desks. Whenever I make a deskside visit I usually see the little yellow shield in the systray and when I make a move to install updates.."oh, it always bloody does that, sooo annoying" I ask why they don't let it install the updates and to date haven't had a good answer. - Same with AV dat files, unless all updates are set to install automatically they don't get done.

0
0
This topic is closed for new posts.

Forums